Security Policy — DataScreenIQ

🔒

Found a vulnerability? Email us directly at [email protected]. We aim to acknowledge all reports within 48 hours.

Our commitment

DataScreenIQ is committed to keeping our API and infrastructure secure. We appreciate the work of security researchers who help us identify and responsibly disclose vulnerabilities. This policy outlines how to report issues, what to expect from us, and what scope we consider in-bounds for research.

Reporting a vulnerability

Please report security vulnerabilities by emailing [email protected]. To help us triage and respond quickly, include:

A clear description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the issue
Any relevant URLs, request/response payloads, or screenshots
Your assessment of severity (critical, high, medium, low)
Whether you have already disclosed or plan to disclose this publicly

Please do not open a public GitHub issue or social media post for security vulnerabilities. Responsible disclosure gives us the opportunity to fix the issue before it can be exploited.

What to expect from us

Milestone	Target timeframe
Initial acknowledgement	Within 48 hours
Triage and severity assessment	Within 5 business days
Fix for confirmed critical issues	Within 14 days
Fix for confirmed high/medium issues	Within 30 days
Public disclosure coordination	Agreed with reporter

We will keep you informed throughout the process and notify you when the issue is resolved. We will credit researchers who report valid vulnerabilities unless they prefer to remain anonymous.

In-scope

The following assets are in scope for security research:

The DataScreenIQ API at api.datascreeniq.com
The dashboard at datascreeniq.com/dashboard
Authentication and API key management flows
Billing and account management endpoints
Any subdomain of datascreeniq.com

Out of scope

The following are out of scope and should not be tested:

Denial of service attacks (volumetric or application-layer)
Social engineering or phishing attacks targeting our team
Physical security of infrastructure
Automated scanning without prior written approval
Vulnerabilities in third-party services we use (Cloudflare, Stripe, etc.) — report those directly to the vendor
Issues requiring unlikely user interaction or physical access to a target's device

Safe harbour

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy. We consider security research conducted under this policy to be authorised. We ask that you:

Only test against your own accounts or test accounts you have created for this purpose
Do not access, modify, or delete data belonging to other users
Do not disrupt or degrade the Service for other users
Stop testing and notify us immediately if you encounter any user data
Keep vulnerability details confidential until we have confirmed a fix is in place

Our infrastructure

DataScreenIQ runs on Cloudflare Workers at the edge. Raw payload data is never stored — all screening happens in-memory. Only aggregated quality metrics (schema fingerprints, health scores, null rates) are persisted. Our authentication uses hashed API keys with a KV cache layer. Understanding our architecture may help you focus your research on the most meaningful attack surfaces.

Contact

For all security-related disclosures, email [email protected]. For general product enquiries, use [email protected]. This security policy is also published at /.well-known/security.txt.